ISE DACL Over ASA VPN

s1nsp4wn, Level 1

I'm having a weird issue with DACLS for users that VPN in and belong to specific AD groups:


Ultimately I have a DACL that I want assigned to users with a certain AD group membership when they hit our ASA via SSL VPN.  My tunnel group uses ISE for authorization and it's configured as a RADIUS server.  On ISE, I have the ASA in my device list and have a policy that points users that belong to a certain AD group known to ISE to an authorization profile that has my DACL tied to it.  I know communication between ISE and ASA is present by looking at my RADIUS logs.  The funny thing is, if I try using ISE as my authentication server (which I don't plan to; I have another server for that) I can't log in to VPN but get the DACL in the logs.  If I do not use ISE for authC and purely use it for authZ, I can access the VPN fine, I just don't get the DACL.


Anybody got tips on what I'm missing?

ISE 2.6

1 Accepted Solution

s1nsp4wn, Level 1

Thanks everyone.  Figured out my own problem.  Turns out the DACL I was sending was over-restrictive!  Once I made some additions to the permissions, things work great!


8 Replies

Francesco Molino, VIP Alumni

Hi
Do you have the authorization log on ISE showing the right authorization profile is pushed?
Have you run radius debugs to see if the dacl is being pushed but ASA isn't accepting it for whatever reason?
Which ASA version are you running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I'll work on the debugs, but I get the proper profile. It's just that I don't get the DACL when not using ISE for authC. I get the DACL when using ISE for authC.

poongarg, Cisco Employee

Looks like when you are just using authorization from ISE, you are hitting a different authorization policy on ISE than when using both authentication and authorization via ISE. Please confirm.

Attach the authentication report for both scenarios along with the dacl content (what you are permitting).

Also, we need to take a look at the "sh tech" of the ASA.

Heavily sanitized, but my ASA tunnel group uses ISE for authC, authZ, and accounting. In the first session detail below you'll see where it appears I get the DACL, but I don't want to use ISE for authC as we have something else for that. The second session detail, closer to the bottom, is when the tunnel group uses ISE for authZ and accounting only, as I want. I use the same AD credentials for both, yet I get a failure on the first. Makes sense because I don't use ISE for authC, but why do I get the DACL?

ASA 9.8.4.20

aaa-server test protocol radius
authorize-only
dynamic-authorization
aaa-server test (INSIDE) host x.x.x.x
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
aaa-server test (INSIDE) host x.x.x.x
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
!
group-policy test internal
group-policy test attributes
dns-server value x.x.x.x
dhcp-network-scope x.x.x.x
!
tunnel-group test type remote-access
tunnel-group test general-attributes
authentication-server-group ****
authorization-server-group test
accounting-server-group test
default-group-policy test
dhcp-server x.x.x.x

Result
RadiusPacketType AccessReject
AuthenticationResult Failed

Session Events
2020-05-21 18:49:35.904 DACL Download Succeeded
2020-05-21 18:49:35.901 Authentication failed
2020-05-21 18:49:35.874 Authentication succeeded

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15041 Evaluating Identity Policy
15048 Queried PIP - Radius.Called-Station-ID
15048 Queried PIP - Normalised Radius.RadiusFlowType (4 times)
22072 Selected identity source sequence - All_User_ID_Stores
15013 Selected Identity Source - Internal Users
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - All_AD_Join_Points
24430 Authenticating user against Active Directory - All_AD_Join_Points
24323 Identity resolution detected single matching account
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD
24408 User authentication against Active Directory failed since user has entered the wrong password - All_AD_Join_Points
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
Authentication Policy AuthC
Authorization Policy AuthZ
Authorization Result AuthZ
Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII
cisco-av-pair ACS:CiscoSecure-Defined-ACL=#ACSACL#-TEST-2ae46n
cisco-av-pair profile-name=Workstation
LicenseTypes Base license consumed
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15041 Evaluating Identity Policy
15048 Queried PIP - Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name
22072 Selected identity source sequence - All_User_ID_Stores
15013 Selected Identity Source - Internal Users
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - All_AD_Join_Points
24430 Authenticating user against Active Directory - All_AD_Join_Points
24323 Identity resolution detected single matching account
24402 User authentication against Active Directory succeeded - All_AD_Join_Points
22037 Authentication Passed
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24211 Found Endpoint in Internal Endpoints IDStore
24323 Identity resolution detected single matching account
11022 Added the dACL specified in the Authorization Profile
22081 Max sessions policy passed
22080 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept


obadillaa, Level 1

I have the same problem. We have an ISE v2.7 patch 4 deployment and an ASA for remote VPN. Our ISE has a policy set for VPN access. This policy set has an authorization policy which validates username, AD access group and public IP (one policy per user); if everything matches, then a result profile is applied. This profile sets the IP, mask and DACL for the remote VPN connection. What we want is to filter the user's traffic from ISE policies (and not from the ASA with a DAP, for example). The problem is, if the DACL is applied the user cannot log in to VPN; if we remove the DACL from the profile, the user logs in without problems. We saw a weird behavior with the DACL. If the DACL has a "permit ip any any" only, it works for sure (but is useless), but if we add another "permit" row before it, the user can't log in to VPN again. It seems like the DACL supports only one rule for VPN connections. We also use DACLs for 802.1X/MAB access on our campus switches and none of these problems happen there.

We tried reversing the order of IPs in the DACL's rules (destination IP first and ANY after) but got the same problem (user cannot log in).

Our ISE's live logs show VPN authentication successful and DACL download succeeded, but the user gets a "Login failed" error.

blagov, Level 1

Were you able to resolve this issue?

blagov, Level 1

I just resolved the issue by using a regular subnet mask, not a wildcard, for the ASAs; it seems to be different compared to the switches.
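The two failure modes in this thread (the OP's over-restrictive DACL that blocked traffic the VPN session needed, and the wildcard-mask DACL that obadillaa and blagov found the ASA would not accept) are both things a dACL can be checked for before it is pushed from ISE. The following Python linter is an added example written for this thread; it is not code from Cisco, ISE, or any poster. It parses dACL lines in the usual ISE syntax, flags masks that look like IOS wildcard masks when the target platform is an ASA (the subnet-vs-wildcard point taken from blagov's post), and then evaluates a constructed list of flows the session is expected to need (for example DNS to the DNS server the group policy hands out) against the ACL with first-match semantics and the implicit deny at the end. All IP addresses, dACL contents and required flows are constructed for the example; the helper names `classify_mask`, `parse_dacl`, `evaluate` and `denied_flows` are the example's own.

```python
"""Lint an ISE dACL before pushing it to an ASA VPN tunnel group (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"domain": 53, "http": 80, "https": 443, "ssh": 22, "ntp": 123}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # destination port given with "eq", else None
    raw: str


def classify_mask(mask: str) -> str:
    """'subnet' = contiguous leading ones (ASA style), 'wildcard' = contiguous trailing ones
    (IOS style), 'ambiguous' = 0.0.0.0 / 255.255.255.255, 'invalid' = non-contiguous."""
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ ALL_ONES
    is_subnet = (inv & (inv + 1)) == 0   # inverse is of the form 2^k - 1
    is_wild = (m & (m + 1)) == 0         # mask itself is of the form 2^k - 1
    if is_subnet and is_wild:
        return "ambiguous"
    return "subnet" if is_subnet else "wildcard" if is_wild else "invalid"


def _parse_addr(tokens, platform, warnings, raw):
    """Consume one address spec (any | host A | A MASK) and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    kind = classify_mask(mask)
    if kind == "invalid":
        raise ValueError(f"non-contiguous mask {mask!r} in: {raw}")
    expected = "subnet" if platform == "asa" else "wildcard"
    if kind not in (expected, "ambiguous"):
        warnings.append(f"{platform} expects a {expected} mask, but '{addr} {mask}' is a {kind} mask: {raw}")
    if platform == "ios" and kind == "ambiguous":
        # 0.0.0.0 means "host" and 255.255.255.255 means "any" as a wildcard; invert for ipaddress.
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))
    # ipaddress accepts both netmask and hostmask notation, so the intended network is still evaluated.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_dacl(text: str, platform: str = "asa"):
    """Parse dACL text into ACEs; returns (aces, warnings)."""
    aces, warnings = [], []
    for raw in (line.strip() for line in text.splitlines()):
        if not raw or raw.startswith("!") or raw.startswith("remark"):
            continue
        tok = raw.split()
        action, proto = tok[0].lower(), tok[1].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in: {raw}")
        src, rest = _parse_addr(tok[2:], platform, warnings, raw)
        if rest and rest[0] == "eq":          # source port qualifier: accepted, not evaluated
            rest = rest[2:]
        dst, rest = _parse_addr(rest, platform, warnings, raw)
        dport = None
        if rest and rest[0] == "eq":
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        aces.append(Ace(action, proto, src, dst, dport, raw))
    return aces, warnings


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins; an ACL ends with an implicit deny. Returns (action, ace index)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(aces):
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, i
    return "deny", None


def denied_flows(aces, flows):
    """Return the (label, proto, src, dst, dport) tuples the dACL would block."""
    return [f for f in flows if evaluate(aces, f[1], f[2], f[3], f[4])[0] == "deny"]


# Constructed sample data: a VPN client in a hypothetical pool, the DNS server the group policy
# would hand out, and an application server. None of these values come from the thread.
REQUIRED_FLOWS = [
    ("dns", "udp", "10.99.0.15", "10.20.0.53", 53),
    ("app", "tcp", "10.99.0.15", "10.10.10.5", 443),
]
DACL_RESTRICTIVE = "permit tcp any host 10.10.10.5 eq 443\n"              # blocks DNS
DACL_FIXED = "permit udp any host 10.20.0.53 eq domain\n" + DACL_RESTRICTIVE
DACL_WILDCARD = "permit ip any 10.10.10.0 0.0.0.255\npermit ip any any\n"  # IOS-style mask

if __name__ == "__main__":
    for name, text in [("restrictive", DACL_RESTRICTIVE), ("fixed", DACL_FIXED), ("wildcard", DACL_WILDCARD)]:
        aces, warnings = parse_dacl(text, "asa")
        print(f"{name}: warnings={warnings} denied={[f[0] for f in denied_flows(aces, REQUIRED_FLOWS)]}")
```

Run it with no arguments to lint the three constructed dACLs for an ASA target; pass `platform="ios"` to `parse_dacl` to lint the same text for a switch, where the wildcard form is the expected one.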